Not all applications are created equal. Not all users are created equal. Different users need access to different applications; different users need different access to these applications. We call this role-based provisioning. Based on a user's role, they get access to the appropriate applications. Again, based on their role, they get differing levels of permissions within those applications.
The interesting part is that you also have on-premise and cloud applications to provision. It's not enough just to create an AD & Exchange account and let the application owners handle the rest. Not in a true identity management system, one where you are managing roles and permissions centrally and dynamically.
Centrally, you have a role repository and metadirectory. To correctly provision all of these users to these disparate applications, you need connectors to all your applications. Building these connectors based on APIs allows you to map any roles and attributes from your central identity store.
It doesn't matter if this is an on-premise or cloud application; the principle is exactly the same. Your "person" identity in the metadirectory "joins" all of your accounts. If your role says that you should have an account in the application, the connector creates the account and then inventories any changes that affect it going forward.
If your user changes jobs, automated provisioning means that their applications and permissions within those applications change. Moving from Finance to Sales? Your accounting software application account is deprovisioned and your Salesforce.com account is provisioned. Role-based provisioning lifecycle! There isn't even an acronym for that, it's so cool.
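The Finance-to-Sales move described above, sketched as a reconciliation between the accounts joined to a person and what their roles justify. This is an added example, not EmpowerID code; the role repository, application names and permission strings are constructed for illustration.

```python
# Constructed role repository (hypothetical names): role -> {application: permissions}.
ROLE_ENTITLEMENTS = {
    "Finance": {"AD": {"user"}, "Exchange": {"mailbox"}, "AccountingApp": {"ledger-editor"}},
    "Sales": {"AD": {"user"}, "Exchange": {"mailbox"}, "Salesforce": {"sales-rep"}},
}


def desired_state(roles):
    """Union the entitlements of every role the person holds."""
    desired = {}
    for role in roles:
        if role not in ROLE_ENTITLEMENTS:
            # Fail closed: an unknown role must not be silently skipped.
            raise ValueError(f"unknown role: {role}")
        for app, perms in ROLE_ENTITLEMENTS[role].items():
            desired.setdefault(app, set()).update(perms)
    return desired


def reconcile(joined_accounts, roles):
    """Compare the accounts joined to a person with what the roles justify.

    Returns (action, application, grant, revoke) tuples ordered by application.
    """
    desired = desired_state(roles)
    actions = []
    for app in sorted(set(joined_accounts) | set(desired)):
        have = joined_accounts.get(app)
        want = desired.get(app)
        if want is None:
            # No role justifies this account any more: remove it entirely.
            actions.append(("deprovision", app, [], sorted(have)))
        elif have is None:
            actions.append(("provision", app, sorted(want), []))
        elif have != want:
            actions.append(("update", app, sorted(want - have), sorted(have - want)))
    return actions


def apply_actions(joined_accounts, actions):
    """Return the joined-account state after the connectors run the actions."""
    state = {app: set(perms) for app, perms in joined_accounts.items()}
    for action, app, grant, revoke in actions:
        if action == "deprovision":
            del state[app]
        else:
            state[app] = (state.get(app, set()) - set(revoke)) | set(grant)
    return state
```

Running `reconcile` again on the state returned by `apply_actions` yields no actions, which is the check that the joined accounts match the role and no leftover permissions remain from the old job.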
This is what identity and access management is about: giving the right users the right access to the right resources at the right time. Automated provisioning really is this powerful and possible. Let us take you on a tour of EmpowerID to show you what it can do.